Technology: 20 critical information security controls

Information security programs are mandatory for certain industries and most government agencies. It can bewilder in-house counsel to navigate the many technical and administrative requirements. Fortunately, there are a number of resources to help. One framework, in particular, is gaining acceptance as a best practice for information security programs: the SANS Institute’s Top 20 Critical Controls. Both attorneys and management can use the SANS controls to prioritize and fund information security initiatives.

Following is a primer for nontechnologists on the objectives and benefits of each of the Top 20 Controls.

1. Inventory of authorized and unauthorized devices. The number of information systems has exploded in most large organizations, resulting in a vast IT infrastructure. Unwinding this complexity is a critical first step to knowing what needs protection. Creating accurate, up-to-date inventories of information and systems is one of the most difficult of the 20 controls, but it is an essential prerequisite to the rest.

2. Inventory of authorized and unauthorized software. Ditto.

3. Secure configurations for hardware and software on mobile devices, laptops, workstations and servers. Nearly all IT components have a variety of dials and switches used to configure them, and some settings are more secure than others. This control calls for documented settings that are and are not allowed.

4. Continuous vulnerability assessment and remediation. Technology tools should scan IT environments searching for the equivalent of unlocked doors and windows, known as vulnerabilities. Vulnerability assessment should occur on a continuous, recurring basis.

5. Malware defenses. Malware (computer viruses and malicious programs) invades corporate IT systems and causes damage. Enterprise-class anti-virus products defend against far more than just viruses and should be deployed, monitored and properly configured.

6. Application software security. Software developers should avoid common programming mistakes that introduce vulnerabilities in software applications. Flaw-detection products should scan the source or program code prior to being released.

8. Data recovery capability. Make sure data is backed up and recoverable to minimize risk of actual data loss stemming from natural disasters, business disruptions, computer crimes and IT failures.

9. Security skills assessment and appropriate training to fill gaps. Do not trim costs of training and education for personnel responsible for enterprise data protection. Training should not be limited to IT.

10. Secure configurations for network devices such as firewalls, routers and switches. When this control is lacking, particularly applicable to creation of safe network zones, a hacker may compromise one system to attack another system in the enterprise. Deploying this control prevents the attacker from accessing more sensitive systems.

11. Limitation and control of network ports, protocols and services. Implementing this control removes many IT services that reach out to the Internet and respond to attackers by serving like a white pages or a fast-food drive-through window.

12. Controlled use of administrative privileges. Large organizations often have too much access inadvertently granted to too many people. The goal here is to limit powerful system access.

14. Maintenance, monitoring and analysis of audit logs. Enterprises should not collect unnecessary data, nor should they ignore the data they do collect.

15. Controlled access based on the need to know. Only grant data access on a need-to-know basis. This control corrects the common practice of blindly giving a new employee the same access as his manager or co-worker.

16. Account monitoring and control. Also related to controls 12 and 15, this control alerts management of unauthorized activity stemming from illicit intentions or unintentional mistakes.

17. Data loss prevention. This control helps detect large data breaches in the enterprise network, an unfortunate reality many large enterprises discover only after sending sensitive data to criminals for months and years prior to discovery.

18. Incident response and management. This control addresses an organization’s ability to limit hacking damage, preserve reputation and protect customers.

19. Secure network engineering. This control seeks to establish a competency in secure network architecture and the design and deployment of secure networks. See controls 4, 7, 9, 10, 11, 13 and 17.

20, Penetration tests and “red team” exercises. Employ good-guy hackers, often called “white-hats” or “red teams,” for simulated hacking to discover unknown vulnerabilities. Include technical testing such as social engineering, where attackers attempt to get employees to divulge passwords and grant access, based on a natural willingness to help.